Behind the Great Wall


For anyone who hasn’t been to China yet, the realization when you get there that the ‘Internet’ isn’t the ‘Internet’ can be slightly alarming. China blocks many of the most popular web sites and services that the Free World uses on a daily basis.

Forget updating your Facebook page, YouTube, or your personal blog to 'show and tell' your friends and family about your wonderful trip to the Great Wall, Forbidden City, or Summer Palace. Forget also about catching up on news from popular news sites. Most are blocked - especially if there's a story about China!

No other country censors the Internet quite like the People’s Republic of China does. It determines almost completely what it allows its 1.4 billion citizens to read, write, listen to, watch, or post. No other country, that is, except the more than slightly isolated kingdom of North Korea, where there’s often no electricity even if you are one of the few elites allowed to access a computer.

Twitter, Blogger, Gmail, Google Plus, and even the Google search engine are all blocked at the present time. Major publications like The New York Times, The Wall Street Journal, BBC, The Times, and Bloomberg are blocked too. China doesn’t permit the free flow of information in or out of the country, so if you want your service to be accessible to China’s 618 million online users you have to abide by China’s rules, and that means you need to self-censor or be blacked out entirely. Some companies, Google for example, refuse to censor the truth, re-write history, or compromise their charter to “do no evil” for the sake of doing business in China. Consequently, and at the present time, Google is, to put it lightly, not particularly liked by the China Net Police.

China effectively has its own 'national intranet', with its own providers and its own rules. So far, none of the big U.S. Internet firms has managed to make significant headway there, and the ones who try must play by the rules. LinkedIn, for instance, which entered the market this year, is drawing flak for blocking posts about political matters in China. Even sensitive pages in Wikipedia are blocked.

Bing and Yahoo search engines work, but forget searching for such heinous terms as ‘Tiananmen Square Massacre’, ‘Dalai Lama’, ‘Muslim ethnic riots’, ‘protests in Tibet’ or ‘Chinese official corruption’. These things don’t exist as far as China is concerned unless the government says so. They are mere ‘untruths’ fabricated by the West to make China look bad. It’s not quite George Orwell’s ‘1984’, but there are a lot of similarities. China allows just enough freedom to make its citizens believe that they have free access. It regards its filtering actions as nothing more than paternalistic protection of its citizens.

There is no official warning or ‘verboten’ page for trying to access blocked content. Your request will just time out as if the web site is down rather than blocked. Sometimes it’s hard to know whether the site or service is purposely blocked, or whether the traffic-slowing ‘Great Firewall’ or the less than stellar China network is to blame. You just have to try later. The notion of ‘Internet quality of service’ (QoS) in China simply doesn’t exist. One day you can connect with decent bandwidth, the next, nothing seems to work properly. That is, however, as true for web sites hosted inside China as it is for ones hosted overseas.

There is no official censorship list either. Sites and services just get blocked, sometimes returning, sometimes not, depending upon relationships with the West and on internal political events: self-immolations in downtown Beijing and Lhasa, or protests and riots by ethnic Uighur separatists in Western China’s Xinjiang province, much of which was called ‘East Turkestan’ before China occupied it in 1949.
Pro Democracy Protests / Tiananmen Square Massacre
Of course the 25th anniversary this month of the Tiananmen Square Massacre, in which untold thousands of Chinese students and ordinary citizens, along with paramedics and doctors treating the injured, were gunned down, bayoneted, or purposely run over by tanks, has been an especially auspicious time for the censors. The mere thought that the Chinese population should find out about the events of 1989, when China’s leaders mobilized complete battalions of the People’s Liberation Army (PLA) and sent over 300,000 armed troops and tank regiments into Beijing to break up the peaceful democracy protest, sends shivers down their spines. This month, even shortwave radio is blocked, just in case the BBC World Service or Voice of America should mention the anniversary.

As for the services that are available, unblocked web sites or email for example, forget the idea that your surfing or email messages are private. You should fully expect that someone, somewhere in China is monitoring what you do, what you read and what you write. Even SSL/TLS email and web sites are often decrypted by the Great Firewall, examined and filtered before being sent on.
Don't expect western style privacy in China but something closer to Orwell's "1984"
Your only option for secure communications with the outside world is a VPN, and even then it can be touch and go, so you absolutely need to set this up before landing in China. Encryption keys need to be long and complex and set to the highest encryption strength supported by your provider or VPN termination device outside of China. The web sites of companies that offer VPN services are generally blocked in China, so if you don’t have a service agreement beforehand, and your encryption keys along with your setup information with you when you arrive in China, tough luck!

PPTP is generally blocked. I’ve found it to work at major western branded hotels in big cities like Beijing, but blocked in the same hotel chain in other cities.

L2TP is a lot better and generally works in many upmarket western or Chinese hotels.

The fact is that things change all the time in China so come prepared.

Your best bet, however, is an SSL VPN, which uses SSL rather than an IPsec tunnel to encapsulate traffic. Setup for both client and server can be more involved, but it’s worth the extra cost and effort to ensure connectivity. Most SSL VPN clients can be configured to attempt connection on a number of ports and protocols; make sure TCP port 443 is in your configuration. This is the port commonly used for secure Web communications, so if your connection on a higher custom port fails, you can normally still get out and obtain a secure tunnel on TCP 443.
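The port fallback described above, written as an OpenVPN client profile (the format Viscosity and Tunnelblick use, and the same format a DD-WRT VPN build accepts). This is an added example, not a profile from the original post or from any provider: the hostname vpn.example.net, the custom port 1194 and the certificate file names are placeholders to be replaced with what your provider ships before you travel.

```conf
# Added example OpenVPN client profile (not from the original post).
# vpn.example.net, port 1194 and the cert/key file names are placeholders.
client
dev tun
nobind
persist-key
persist-tun
resolv-retry infinite

# Connection blocks are tried in order: the provider's custom port first
# (UDP, then TCP), and finally TCP 443, the ordinary HTTPS port, which is
# the one most likely to get out when the custom port is blocked.
# connect-timeout caps how long to wait on each endpoint before moving on.
<connection>
remote vpn.example.net 1194 udp
connect-timeout 15
</connection>
<connection>
remote vpn.example.net 1194 tcp
connect-timeout 15
</connection>
<connection>
remote vpn.example.net 443 tcp
connect-timeout 30
</connection>
# Cycle through the three endpoints up to six times before giving up.
connect-retry-max 6

# Strongest settings the (assumed) server supports: refuse a server
# certificate that lacks the server EKU, require TLS 1.2 or newer, and
# use an AEAD data cipher. Adjust to what your provider actually offers.
remote-cert-tls server
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256

# Provider-issued CA and your own client certificate and private key.
ca ca.crt
cert client.crt
key client.key
verb 3
```

Test the profile at home first and watch the log at `verb 3`: you should see the client step through the endpoints in order and settle on whichever one connects.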

OS X, Windows and most Linux distros already contain the software needed to support PPTP and L2TP VPN connections. Third party applications such as Viscosity and Tunnelblick can be downloaded to support SSL VPNs, and equivalent software can be found on the Apple Store and Google App Store for iOS and Android devices.

Hotels in China usually provide both wired and wireless Internet access. Wireless is usually ‘open’, meaning that your communication to the WiFi access point is unencrypted and could easily be observed, intercepted or exploited by ‘man-in-the-middle’ attacks. You want to avoid connecting to any open wireless connection in China. Make sure that you bring an Ethernet cable and, if using a Mac or slim laptop, a dongle to allow you to use the RJ45 socket in your room. A wired Ethernet connection could still be intercepted, but there’s less chance of your average China hacker doing so. Besides, you can employ extra layers in your cyber defense, as I’ll explain.

Security in China is a MUST. So rather than rely upon directly connecting your laptop to the wired network, and to facilitate access for other devices that only have WiFi connection capabilities (iPads, iPhones, etc.), consider bringing a simple wireless router-firewall and loading it with the open source DD-WRT firmware. You then have this router open an SSL VPN out of China so you can use one tunnel for everything, and secondly you can set up a WPA2 WiFi network for your wireless devices in your hotel room so that they can connect securely too.

Builds of DD-WRT can be freely downloaded for most common consumer WiFi routers from Linksys, Netgear, D-Link, etc., but you need to load a larger ‘Full’ or ‘VPN’ build to be able to use it as your SSL VPN termination point. That usually requires more RAM and Flash memory to load and run than a ‘light’ or ‘regular’ build. Check out the DD-WRT Router Database for supported hardware and the Wiki for how to flash and configure DD-WRT and set up your VPN.

OpenWRT is an alternative project to DD-WRT, though not as many devices are supported and it’s a little tougher to configure. It has great support for Linksys hardware, however. There are a number of different projects within OpenWRT, including Tomato, which is one of the more popular distros, but an Internet search will tell you what hardware is supported on which distro.

Remember to build out, test and if needed, troubleshoot your DD-WRT / OpenWRT loaded router BEFORE your trip to China.

Before purchasing or re-imaging a router, ensure that it has sufficient RAM and Flash memory to support a ‘Full’ or ‘VPN’ build of DD-WRT / OpenWRT.

Secondly, make sure that its power adapter is multi-voltage, as China uses 220 to 240 volts.
A decent surge protector for all your electronic gear is probably a good investment also as the power in China is often quite dirty.

As to the privacy of your computer, tablet or smartphone, forget that too unless it never leaves your side. Web pages where you agree to the Internet access terms of service in the coffee shop or hotel, sometimes have malicious code that is automatically pushed without your knowledge to your system unless you have that system locked down WAY tighter than most users would. Creating a user account with minimal privileges is definitely a good precaution. The more concerned may consider taking a blank machine with nothing more than a locked hypervisor and a read-only virtual machine.

And forget leaving your device in your locked hotel room or safe while you go for breakfast too. You are not the only one with a key - even to a combination lock. The maid will have a forensic acquisition of your hard drive completed before you get to your second breakfast cup of coffee - even if that hard drive is full-disk-encrypted!
Big Brother is watching you
Of course if you happen to be in China on business, then expect to be targeted. Chinese companies, most of which are owned by the Chinese State or the People’s Liberation Army (PLA), have been issued ‘five year plans’ to catch up with and surpass their western counterparts using any and all means available, including outright theft of intellectual property and trade secrets. The paternalistic monitoring forces of China are eager to aid in this endeavor, even if only by acquiring your phone contacts, so don’t lose sight of your phone or anything else.

Watch out for hidden cameras too, especially if you may be targeted. Cover keyboards and be very careful when entering passwords into computers, phones or hotel safes. And be careful about what you do in, and who you bring back to, your room. Just assume that you are always being watched and that anything you do can be used against you.
Big Brother IS watching you in China
That being said, China is a great place to visit for short periods of time, so come prepared and enjoy your stay! Just be aware of the risks you face and take the appropriate precautionary measures to protect yourself and the data you may have with you.


Post Script
Eric Jacksch recently published an interesting article on the use of Chromebooks for international travel in order to safeguard private information. If crossing an international border with information on your laptop that simply should not be disclosed concerns you, then this might be an option for you. However, the same concerns exist for unfiltered and un-monitored access to the Internet when in China. Read Eric's full article

Mricon.com also published a Linux / Chromebook setup guide for attending conferences or meetings in China. MacWorld published a Data Security Guide while travelling with your Mac, iPad or iPhone.

Network World recently reported on a crackdown by the Communist Chinese Government on ISPs to block VPNs out of the country: China goes after unauthorized VPN access from local ISPs

1 comment:

  1. It is said that VPN service providers in China, such as ExpressVPN or Astrill, may not have the same security encryption anymore. According to a report from Tech in Asia, the infamous Great Firewall of China was accessed by an Infosec professional named Marc Bevand, who found out that two of the well-known VPN service providers lack security.

    It is a known fact that ExpressVPN and Astrill are the big names in China when it comes to VPN services. VPNs are normally used for protection and to prevent the government from monitoring personal Internet traffic. In China, there is a need to evade the Great Firewall of China, especially for travelers, because the country's firewall is set to block the Google services that most people often use. Without evading the Great Firewall of China, there would be no access to Gmail, Hangouts, Google Maps and Drive, according to a blog post Bevand published recently.

    As stated in his blog, Bevand subscribed to ExpressVPN while he was in China, and upon using its service, he discovered that the said provider was using a 1024-bit RSA key. VPNs should use at least a 2048-bit RSA key in encrypting the Internet connection. For VPNs that use a 1024-bit RSA key, there is a huge possibility that Internet security will be breached, added Bevand on his blog.

    Bevand added as a fact that China might already be watching over some, or possibly all, ExpressVPN subscribers because of its weak RSA key encryption. With regard to this matter, he reached out to ExpressVPN's management, and the company's response to him states, "We agree that the issue you have raised is important, and you're correct in that it has been on our backlog to fix for some time. We've now decided to prioritize the upgrade for the next month."

    Bevand mentioned that he also raised this issue with Astrill, and in his updated blog post, he received a personal email from the company's Chief Security Officer that says "Effective today 1024bit cert (ASCA) has been removed from PKI and all clients are required now to use 2048bit cert."

    http://en.yibada.com/
